Jump to content

is my movie invoking my php file securely?


ajoo

Recommended Posts

Hi all,
 
I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. 
 
I have the headers information below:
 
index.php?ppage (logged in)
REQUEST HEADER     
Cookie: PHPSESSID=2tianhri55rl74u42u9jcq90c6; sec_session_id=pmobdo0j6r3o8lt01umcun5ib6
 
RESPONSE HEADER
Set-Cookie: sec_session_id=k74hno7len92op5c7s4lc51oc7; path=/; HttpOnly
 

 

 

best.php?r='xxxx..' (invoked the embedded movie that invokes best.php)
REQUEST HEADER    
Cookie: PHPSESSID=2tianhri55rl74u42u9jcq90c6; sec_session_id=k74hno7len92op5c7s4lc51oc7
 
RESPONSE HEADER 
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 11 Apr 2018 13:22:44 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Vary: Accept-Encoding
 

 

 

I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one.  I hope I am able to convey my doubt clearly enough. 
 
I hope that the experts can either confirm or allay my fears.
 
Thanks all.
 
Link to comment
Share on other sites

There is no 100% safe method because everything must be initiated by the client and you cannot control exactly what happens on a user's computer.

 

How much effort do you want to put into this? What do you see as the cost/benefit ratio for addressing this? What is the problem if someone calls the script without the movie?

Link to comment
Share on other sites

Hi dalecosp & requinix, 

 

Thanks for the replies. 

 

@dalecosp :

 

 Check the "network" tab in the console?   

hmm, that's what I did and that's where I got the response and request headers from.  What should i further check for under the network tabs?

 

@requinix :

 

 

How much effort do you want to put into this?

 

I think I have already put in quite a bit.  :)

 

 

 

What is the problem if someone calls the script without the movie? 

If possible, that is what i would like to prevent. The first movie is a dummy to load another through the script. The first movie checks for the domain and if it is on the correct one, it loads the 2nd movie via the php script. Right now I am not sure if the script can be run without the movie or not.

 

I know that movies are never truly safe, yet I want to make it as safe as i can by making it difficult to access. 

 

Thanks.

Link to comment
Share on other sites

That Network tab will give away the second movie URL as soon as the browser starts to load it, so you have to make sure it can't be reused.

 

1. Movie creates a hash of the current time + the domain + a secret key

2. Second movie URL includes that same time, the domain, and the hash

3. URL verifies (a) that the time is recent, like +/- 5 minutes, and (b) that the hash matches what it expects to see

 

The hash method should be something nicer than mere MD5 or SHA1. HMAC would be good.

Link to comment
Share on other sites

Hi requinix,

 

Thanks loads ! 

 

That Network tab will give away the second movie URL

 

The network tab won't give away the movie URL since I am not using a URL to load the movie.

 

Shouldn't the server create the hash of (#1 in your reply) and pass it along with the movie. Then the movie should pass that back to the server, which will verify the hash along with the time window, and then invoke best.php which will load the 2nd movie?

 

Maybe that's what you are saying and i am interpreting it wrong?

 

Please May I request a small implementation ex. of the hash_hmac using timestamp, domain_name, and a secret key. 

 

Thanks loads.

Link to comment
Share on other sites

The network tab won't give away the movie URL since I am not using a URL to load the movie.

Then... how are you loading it? Where is it coming from?

 

Shouldn't the server create the hash of (#1 in your reply) and pass it along with the movie. Then the movie should pass that back to the server, which will verify the hash along with the time window, and then invoke best.php which will load the 2nd movie?

Sure, the server could do it too. In fact that would be better.

 

Please May I request a small implementation ex. of the hash_hmac using timestamp, domain_name, and a secret key.

See the examples in the docs for hash_hmac.
Link to comment
Share on other sites

Hi requinix !

 

Thanks for the reply. 

 

 

 

Then... how are you loading it? Where is it coming from?

 

I am passing it through as a encoded string into the loading movie. It works.

 

 

 

See the examples in the docs for hash_hmac

Maybe you could just demonstrate how to use the timestamp, domain and a message together with the secret key. The function usage is straight forward. 

 

 

 

Sure, the server could do it too. In fact that would be better.

 

Now that I think about it, the best.php, that's invoked by the loading movie is lying on my server but is not connected to my main movie. It's as if the movie tunnels through and invokes best.php. The question is how do i tie best.php to the movie through sessions.

 

If i generate a hash_mac in the HTML/ PHP file that embeds the loading movie, ( the dummy movie), how do I pass this hash_mac value to best.php, since the two are really not connected through a session ?

 

I hope this is clear to you. 

 

Thanks a ton.

Link to comment
Share on other sites

The entire second movie is serialized as a string, passed to the first movie, then deserialized and played?

 

Okay, then encrypt the string using a key that's partially derived from the time. Pass the time to the player so it can (validate and) construct the same key to decrypt the movie.

Most any encryption algorithm will work for it.

Link to comment
Share on other sites

Hi requinix 

 

 

 

The entire second movie is serialized as a string, passed to the first movie, then deserialized and played?

yes that's correct !

 

If I may bring to your attention to some of the questions I asked previously.

 

Now that I think about it, the best.php, that's invoked by the loading movie is lying on my server but is not connected to my main movie. It's as if the movie tunnels through and invokes best.php. The question is how do i tie best.php to the movie through sessions.

 

If i generate a hash_mac in the HTML/ PHP file that embeds the loading movie, ( the dummy movie), how do I pass this hash_mac value to best.php, since the two are really not connected through a session ?

This is to tie best.php to the session to ensure greater level of security perhaps.

 

 

and finally

 

 

 

Okay, then encrypt the string using a key that's partially derived from the time. 

 

I am not sure how to create this key using different parameters. Please illustrate with a small example code if that is not too much trouble. 

 

Thanks loads.

Link to comment
Share on other sites

I didn't answer not just because I couldn't understand what you were asking but because they pertained to stuff I said earlier which is irrelevant since there's now only one page load (the one that includes the first movie and second movie's data).

 

The main thing I don't know is what you have available to use in ActionScript as far as cryptography goes. The correct tool here is called key derivation, which is a way to create an encryption key given some data that's not good enough to be used as a key on its own. You could do it in PHP but ActionScript is the question...

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.